Topic: Windows Software Restriction Policy

I guess that many VL users also use Windows, or at least have to support people who do. The biggest problem I have (here in Cambodia) supporting Windows is preventing viruses from messing up the machines. Mostly these attacks occur when users install cracked software or simply plug in an infected USB flash drive. Antivirus software is of limited use, while software such as Deep Freeze has its own problems.

Recently I came across a feature available in Windows XP and Server 2003 (and more recent versions I presume) which has proved very effective in preventing viruses from installing. It's been available for a long time so I don't know why I haven't come across it before. It's called a Software Restriction Policy and is applied via Group Policy. Basically it limits the running of programs to those which have been previously installed in the Windows and Program Files folders. You can apply it to all users or you can exclude Local Admins, but to make it effective you have to make users log in as Limited Users so that they can't copy files to Windows or Program Files and run them from there.

Once the policy is in force users cannot run any executable from a flash drive or even from their own documents folder on the hard drive. So they can't run or install new programs, nor can they accidentally install a virus. It is very effective at stopping viruses, but don't expect your users to love you when they find they can't run all the portable apps they keep on their flash drives!

Joking apart, it does have implications for the users, so you need to ensure that they have all the programs they need already installed before you lock down the computer. Luckily it's quick and easy to temporarily reverse the policy in order to install extra software when needed.

Has anybody tried this yet?

Andy

P.S. I haven't detailed how to apply the Software Restriction Policy as there are many comprehensive articles on the net.
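As an added example (not part of Andy's post, and not a replacement for the articles he refers to), here is a PowerShell script that audits a client for the configuration described above: a Disallowed default level, path rules allowing only the Windows and Program Files locations, and the scope (all users, or everyone except local administrators). It reads the registry keys that Group Policy and secpol.msc populate for Software Restriction Policies; it assumes PowerShell is available on the client and is run from an elevated prompt.

```powershell
# Added example: report the local Software Restriction Policy (SRP) state.
# The keys below are the well-known SRP locations written by Group Policy
# (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

if (-not (Test-Path $base)) {
    Write-Output 'No Software Restriction Policy is configured on this machine.'
    return
}

$ci = Get-ItemProperty -Path $base

# DefaultLevel: 0 = Disallowed (default-deny), 0x40000 = Unrestricted.
$defaultLevel = switch ($ci.DefaultLevel) {
    0       { 'Disallowed (default-deny)' }
    0x20000 { 'Basic User' }
    0x40000 { 'Unrestricted (default-allow)' }
    default { "Unknown ($($ci.DefaultLevel))" }
}
# PolicyScope: 0 = all users, 1 = all users except local administrators.
$scope = if ($ci.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' }
# TransparentEnabled: 1 = executables only, 2 = executables and DLLs.
$enforce = switch ($ci.TransparentEnabled) {
    0 { 'Off' } 1 { 'Executables' } 2 { 'Executables and DLLs' } default { 'Unknown' }
}

Write-Output "Default level : $defaultLevel"
Write-Output "Scope         : $scope"
Write-Output "Enforcement   : $enforce"

# Path rules live under <level>\Paths\<GUID>: 0 holds Disallowed rules,
# 262144 (0x40000) holds Unrestricted (allow) rules. With the default rules
# in place you should see the SystemRoot and ProgramFilesDir entries here.
$levels = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }
foreach ($level in $levels.GetEnumerator()) {
    $paths = Join-Path $base "$($level.Key)\Paths"
    if (Test-Path $paths) {
        Get-ChildItem $paths | ForEach-Object {
            $rule = Get-ItemProperty $_.PSPath
            Write-Output ('{0,-12} path rule: {1}' -f $level.Value, $rule.ItemData)
        }
    }
}

# A policy whose default level is not Disallowed only blacklists the listed
# paths; it gives none of the flash-drive protection described in the post.
if ($ci.DefaultLevel -ne 0) {
    Write-Warning 'Default level is not Disallowed; executables from removable media and user profiles still run.'
}
```

Run it before and after rolling out the policy to confirm that the default level really changed to Disallowed and that the scope matches what you intended.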

Are all computers connected to an Active Directory? AD with GPO (Group Policy Object) is a very handy and powerful tool for any administrator in a full Windows-based architecture. It will take a lot of testing due to some programs that need administrator rights to execute.

This blog has some good advice for running LUA (Limited User Account) in Windows

You're right GrannyGeek, it's for XP Pro only unfortunately, I forgot to mention that. Some companies do try to restrict the use of flash drives, but it's not easy. Should you disable USB in the BIOS (no printer?) or put glue in the ports? Or just rely on company policy? If you can use a software restriction policy then you don't have to worry about malware from USB drives. You might still be worried about data theft of course...

Some nice links there, hata_ph, thanks. As they show, there are often ways around the need for programs to run as administrator, some relatively trivial, some not. And some, such as WAMP server, have defeated me (so far). For relatively simple set-ups it seems worth the effort, but I can imagine that for systems with lots of uncommon programs it might be more trouble than it's worth. Still, the alternatives (virus scanners, updates etc) take time and effort too.

And yes, Group Policy via AD is a very powerful tool for locking down clients. Wouldn't want to be without it!

This thread should be read by anyone who is thinking of dual booting. Lots of trouble, for what? I still fail to see any legitimate need for anyone to run Windows. I certainly don't miss it. Windows makes its way by use of legal, economic and political force. Linux makes its way on the merits.

The needs of most home users can be met with free software, but there are still a lot of professional applications which require Windows. Fortunately, those who frequent this forum have the skills and knowledge to run multiple os's.

Sledgehammer, I do agree with your point. Unfortunately a lot of my clients are forced to use Windows due to the programs that are needed. The solution that I use is to keep the Windows machines offline except for the internal network.

This thread should be read by anyone who is thinking of dual booting. Lots of trouble, for what? I still fail to see any legitimate need for anyone to run Windows. I certainly don't miss it.

Speak for yourself! Who are you to judge what is or isn't a "legitimate need"? I don't use Windows often but when I need it, I need it. I have a serious greeting card hobby and have about 14 greeting card and consumer graphics programs installed in Windows. It's much, much easier and faster to find suitable graphics and verses with a comprehensive greeting card program than to search on the Web. Another reason I need Windows for this is that the printer driver for the Epson inkjet printer I usually use does better, truer color than the Linux driver.

I also need Windows for some things I do with my Sony Clie PDA. For loading something into Documents to Go, I need the Windows desktop program. This is also true for getting photos into the Clie. They have to be converted to a Clie format with PictureGear. If I want to sync e-mail for reading on the Clie, I have to use Outlook Express or Eudora. I use Plucker to get Web pages into the Clie and have been unsuccessful in getting the Linux version to work at all. The Windows version works easily. J-Pilot in Linux works well for what it does, but for the uses above, I have to go to Windows because I can't get the conduits in Linux. The Clie is years old and was discontinued several years ago, so there's nothing new coming down the pike as far as Linux versions for the programs I mentioned. I'm just very grateful to have J-Pilot.

I can't think of anything else I need Windows for. I don't have problems with viruses, worms, trojans, etc. Nobody else uses the computers, so I don't need Group Policies, restrictions on thumb drives, etc. I won't use Linux instead of Windows just for political or philosophical reasons. I use whatever does the best job for what I need to do. Most of the time it's Linux, but sometimes I do need Windows.--GrannyGeek

I am in no position to disagree with your need to use Windows for certain purposes. However, I would lament rather than tout any such need. I was out at Best Buy the other day and every non-Apple computer there apparently came equipped with Windows. I suspect that Dell, HP and Sony would claim that they "needed" to have Windows on all of their computers on display for some reason but I doubt that reason is legitimate. Instead, I suspect that this "need" is grounded somehow in the Microsoft monopoly. I recall not too long ago that many who used WordPerfect found a "need" to switch to Word as WordPerfect too often crashed, only to later find that Microsoft had inserted code into its Windows operating system which was designed to make WordPerfect run poorly. I recall that for these and similar reasons, under Clinton, the Dept. of Justice's antitrust division was busy trying to break Microsoft into three companies, basically Windows, Word and Internet Explorer, and that when Bush got elected he put a stop to it. I am aware that many disagree with my contention that monopoly is the cancer of capitalism. In any event, when I say "legitimate" need, I admit that I may read more into that word than do others. Sorry if I offended you.

I recall not too long ago that many who used WordPerfect found a "need" to switch to Word as WordPerfect too often crashed, only to later find that Microsoft had inserted code into its Windows operating system which was designed to make WordPerfect run poorly. I recall that for these and similar reasons, under Clinton, the Dept. of Justice's antitrust division was busy trying to break Microsoft into three companies, basically Windows, Word and Internet Explorer, and that when Bush got elected he put a stop to it.

Ahhhh, that old wives' tale again? I submit that MS didn't purposely code Windows to "break" WordPerfect, but rather the developers of WordPerfect were ALWAYS behind the times and rarely had a stable product in time for each new Windows release. In fact, Windows 95 was out for months before WordPerfect had a stable product for that platform. And the first versions for Windows 95 were still installed via the DOS prompt.

Don't blame Microsoft for WordPerfect's dismal failure to create good products in a timely manner. The reason why there was an anti-trust suit against MS was because of the way Microsoft was bundling their software with the OS. Not because they supposedly coded Windows to break other applications. WordPerfect for DOS was a stellar product. WordPerfect for Windows was a dismal failure and you need to look no further than the developers of the product to place any sort of blame.

There are a myriad of reasons why someone would need to keep Windows. Legacy applications, continuity, training, etc. are all reasons why a company or user would rather stick with Windows than attempt a complete change over to a new OS. To state otherwise is no better than the Apple fanbois claiming their OS is better than anything else, just because it's not Windows.

Not at all. I never take disagreement personally. It would be a dull world if we all thought alike.

I suspect that the main reason you find nothing but Windows or Mac computers in a big-box store is that the computer makers--and the store--want what sells. Various retailers have offered Linux computers, Walmart being one, but they didn't sell well and supposedly had high rates of returns. There are reasons this may have been the case (we don't know for sure), but these computers were mostly rather miserable machines, albeit very inexpensive. The buyers may well have not known what they were getting into and were just going for the cheapest computer. Don't forget that huge numbers of computer users don't know what an operating system is. If you ask them they may say "Word" or in older times, "AOL." So they would have no idea what "Linux is the OS" means. When they try to use the machine and install Word or Office or Print Shop and find that they can't, they are inclined to return the computer, not switch to something else.

I'd dare say *most* computer users aren't very interested in hardware or operating systems. They don't want to learn new things. They go with what they know. This is one reason Linux hasn't made much headway on the desktop. We also need to recognize that not everybody who tries Linux stays with it or even likes it. I have several cyber acquaintances who went back to Windows after giving Linux a try. I think people need some motivation to switch. Absent hatred of Windows or Microsoft or a philosophical dedication to open source, why would someone switch? For me, it's a question of fun. Yes, fun. I think Linux is way more fun than Windows. To be able to do what I want to do and have fun at the same time increases with every release of VectorLinux. No way I'd want to give that up!--GrannyGeek

I suspect that the main reason you find nothing but Windows or Mac computers in a big-box store is that the computer makers--and the store--want what sells. Various retailers have offered Linux computers, Walmart being one, but they didn't sell well and supposedly had high rates of returns. There are reasons this may have been the case (we don't know for sure), but these computers were mostly rather miserable machines, albeit very inexpensive. The buyers may well have not known what they were getting into and were just going for the cheapest computer.

--GrannyGeek

This is one of those cheap, miserable, Walmart-sold machines. After VL 6 light, it's still cheap, yet for the first time no longer at all miserable. Original OS was a "branding" of Ubuntu. Updating mistakenly resulted in mis-installation of Ubuntu proper. If I didn't enjoy this kind of thing, I'd have returned it, too. Even properly installed, *ubuntu, even xubuntu, is too much overhead for a single-core 32-bit; VL light runs marvelously. The speed compares to vanilla NetBSD default (yep, that's right, TWM and nothing else). The installation and configuration, of course, thankfully don't compare at all.

The manufacturer, Everex, went out of business. The mobo maker, First Computer, is now shying away from VIA. Not that that's a bad thing, but costs go up for the switch to AMD or Intel.

This kind of machine is still needed. Walmart grabbed every machine they could get out of the defunct company, problems or no. Some large retailer, probably Walmart, would be very interested in a good package of really-ready-to-go VL light and this exact platform (I'd switch wireless card). It'd probably definitely interest the vendors of the hardware and fill a gap and a need.